Cloud Storage of Personal Data: Your Business’ Data Protection Obligations

Last updated on December 27, 2018


There are many benefits of cloud storage, including the ease of accessibility to data and the ability to remotely back data up. It is no wonder that businesses are increasingly looking to store their data in the cloud.

And now, you’re considering doing the same for your business.

As many cloud service providers have their servers located outside of Singapore, storing your business’ data in the cloud will likely require you to transfer your data overseas. However, you have to be sure that the transfer complies with Singapore’s data protection laws under the Personal Data Protection Act (PDPA).

Is the Data I Want to Transfer Subject to the PDPA’s Protections?

The PDPA protects “personal data”, which includes data about individuals who can be identified from such data (whether such data is true or not).

Therefore, so long as the data you possess about individuals allows them to be identified from such data, that data will be considered “personal data” that is subject to the PDPA’s protections. Examples of such data include the NRIC numbers and/or addresses of your customers.

Restrictions on the Transfer of Personal Data Overseas

After determining which of your data constitutes “personal data”, you will then have to know the restrictions to be complied with when transferring personal data overseas.

Before transferring personal data overseas, you have to:

  1. Take appropriate steps to ensure that you will handle the transferred data in accordance with the PDPA’s data protection laws, while this data is still in your possession/under your control; and
  2. Take appropriate steps to check whether, and ensure that, the recipient of the personal data is bound by legally enforceable obligations to provide the transferred data a standard of protection that is at least comparable to the PDPA’s protections.

Requirement to take appropriate steps to ensure that you will handle the transferred data in accordance with the PDPA’s data protection laws, while this data is still in your possession/under your control

You will be taken to have fulfilled this requirement if:

  • The individual, who is the subject of the personal data, consents to the transfer of personal data;
  • The transfer is necessary for you to perform a contract with the individual, or to do anything the individual asked you to do with the view of entering into a contract with him;
  • The transfer is necessary to conclude or perform a contract which the individual asked you to enter with a third-party;
  • The transfer is necessary to conclude or perform a contract you entered with a third-party, if a reasonable person would consider the contract to be in the individual’s interest; or
  • The personal data is publicly available in Singapore.

Before the individual gives his consent, you are required to give him a reasonable summary in writing of the extent to which his personal data will be protected to a standard comparable to the protection under the PDPA when it is transferred.

Requiring the individual to consent to the transfer as a condition of providing him a product or service does not constitute consent, unless the transfer is reasonably necessary to provide him with such product or service.

Obtaining the individual’s consent through deceptive or misleading practices, such as providing false information about the transfer, also does not count.

Also, even if the individual has given his consent to the transfer, he may still withdraw his consent later on.

Read our other article for more information on the consent requirements under the PDPA.

Requirement to take appropriate steps to check whether, and ensure that, the recipient of the personal data is bound by legally enforceable obligations to provide the transferred data a standard of protection that is at least comparable to the PDPA’s protections

“Legally enforceable obligations” include obligations imposed on the recipient of personal data under:

  • Any law;
  • Any contract that specifies the countries/territories that the personal data may be transferred to, and requires the recipient of the transferred personal data to provide a standard of protection for the data at least comparable to the protection under the PDPA;
  • Any binding corporate rules; or
  • Any other legally binding instrument.

If you are using a contract to impose such obligations on the recipient, the clauses in the contract should minimally include the following protections for personal data:

  • Purpose of collection, use and disclosure by recipient
  • Accuracy
  • Protection
  • Retention limitation
  • Policies on personal data protection
  • Access
  • Correction

More information on these protections may be found in the PDPA.

The Personal Data Protection Commission, which administers and enforces the PDPA, has provided the following example on how a business may comply with the PDPA when intending to transfer personal data overseas:

“Cedric is a client of Organisation GHI. Organisation GHI notifies Cedric in writing that it is adopting a cloud-based solution to store and analyse its client data, which includes personal data such as clients’ identification details, address, contact details and income range, and asks for Cedric’s consent to move his client data to the cloud-based solution. Organisation GHI also provides Cedric with a written summary of the extent to which Cedric’s personal data will be protected to a standard comparable to that under the PDPA, in the countries and territories that it will be transferred to. Should Cedric provide his consent, Organisation GHI would be able to transfer his personal data in compliance with the Transfer Limitation Obligation.”

Cloud Security Standards

You may also be interested to know that Singapore’s Information Technology Standards Committee has developed a cloud security standard which certifies cloud-service providers based on the levels of security service they provide to clients.

Known as the Multi-Tier Cloud Security Singapore Standard 584, this standard will allow businesses to make informed decisions on whether a particular cloud service provider provides sufficient protection for their data in the cloud.

If you require legal advice on your business’ legal obligations when storing personal data in the cloud, feel free to get in touch with one of our data protection lawyers.
